Tag Archives: Security

Cybersecurity Part 4: Surviving Ransomware

By Tony DePrato | Follow Me on LinkedIn

The scope of all the following arguments is for equipment owned by the school, or equipment approved to use at school. This post is not promoting policies for personal devices used solely at home, nor is this post addressing devices that may be used for entertainment or non-academic purposes.

Ransomware, in its most basic form, is self-explanatory. Data is captured, encrypted, and held for ransom until a fee is paid. The two most common forms of ransomware delivery are through email and websites. ~ https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

Ransomware is scary. Ransomware, once it begins to propagate, becomes more about survival and mitigation and less about prevention.

I have thought about how to advise K12 schools around the world how to prepare for ransomware. I have concluded that there are only two approaches everyone can follow: Reduce or Completely Remove Windows and Create Very Inconvenient Backups of Data. 

Reduce or Completely Remove Windows

I decided to compile known types of ransomware. I stopped at 106 identified types. Here is a graph, and link to the sources, that demonstrate what operating systems are vulnerable:

Data Link

If you want to do the math:

  • 106 Ransomware programs
  • 100 Target Windows Operating Systems
  • 93%-94% of Targets are Windows Operating Systems
  • Using Windows is Riskier than Using other Systems

“Riskier” is a little weak in this case. It is very likely that Windows users will be a target; it is very unlikely that Apple and Chromebook users will be a target.

If the goal is to live in a relatively peaceful, ransomware-free environment, then the majority of end-users need to be using Apple or Chrome-based devices (Linux varieties are also an option for a subset of users).

There are tools for Windows that help defend and protect against ransomware. However, nothing is better than not being attacked at all.

Create Very Inconvenient Backups of Data

Every time I ask an IT director or IT manager about backups, they claim they are 100% compliant and 100% able to deal with any problems. I have never believed my planning was close to 100%, nor have I ever believed I could restore 100% of all data. I would say, at my best, I am 60%-70% certain that I can restore 80%-90% of data. 

Data. Not operating systems and settings. Data. Not the software that was installed. Just all the data consisting of but not limited to documents, databases, movies, music, pictures, special configuration files, scripts and code, and the inclusive content of all websites.

There is only one question a person needs to ask to confirm if backups are safe from ransomware: “Can the backup be accessed right now if we need it?”.

If the answer is ‘Yes’, then backups are going to be vulnerable. 

There should be at least two layers of backups. Layer one can be data that is backed-up and accessible on the network, in the cloud, and/or from normal workstations. Meaning, someone can sit down and create or restore a laptop, database, etc by following a workflow at their desk. 

Layer two backups are inconvenient. These backups are stored outside of the normal network. These backups are scheduled and not even accessible by network administrators without taking extra steps. These backups require some level of multifactor authentication or even a physical lock and key.

Layer two backups also need to be tested at least monthly (this is only recommended for K12 schools; most businesses need to test more frequently; school districts would need to test very often and on a predetermined schedule).

Tests need to include:

  1. Data restoration
  2. Data access and use
  3. A scan for malware, ransomware, etc
  4. An iterative process to consistently reduce the size of backups
  5. An archival process to store data that will most likely never be needed, but is legally required to store
  6. Imagination. Because you never know where you will be and what the situation will be when you need to access these backups
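
One way to carry out tests 1 and 2 for a layer two backup, as an added example that is not part of the original post: a manifest of SHA-256 hashes is recorded when the backup is made, and after a test restore every file is hashed again and compared. The function names, the manifest layout and the sample files are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large media files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its size and SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            }
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    report = {"ok": [], "missing": [], "changed": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            report["missing"].append(rel)       # file did not come back
        elif actual["sha256"] != expected["sha256"]:
            report["changed"].append(rel)       # corrupted or encrypted copy
        else:
            report["ok"].append(rel)
    # Files that were never in the backup deserve a look before anything is trusted.
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def restore_passed(report: dict) -> bool:
    """A test restore passes only if nothing is missing, changed or unexpected."""
    return not (report["missing"] or report["changed"] or report["unexpected"])


def demo() -> dict:
    """Constructed sample: back up three files, then damage the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for root in (source, restored):
            (root / "grades").mkdir(parents=True)
            (root / "grades" / "term1.csv").write_text("student,grade\nA,90\n")
            (root / "policies.txt").write_text("Acceptable use policy\n")
            (root / "site.html").write_text("<h1>School</h1>\n")

        # The manifest would be stored with the offline drive; JSON keeps it readable.
        manifest = json.loads(json.dumps(build_manifest(source)))

        # Simulate a bad restore: one file lost, one altered, one stray file added.
        (restored / "policies.txt").unlink()
        (restored / "grades" / "term1.csv").write_bytes(b"\x8f\x02\x00garbled")
        (restored / "READ_ME.txt").write_text("constructed stray file\n")

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("restore passed:", restore_passed(result))
```

A matching hash only shows that the bytes came back; opening a sample of the restored documents and databases is still needed for test 2.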

A very low tech approach to a layer two back-up could include someone taking an external drive to the data source, moving the data manually, and then locking the drive in a safe. Do not overthink this, just start doing it and keep improving the process. If you can access these backups from your workstation, then those backups are vulnerable by definition.

If ransomware happens, and the data cannot be decrypted, this layer two data would be safe as it would be offline. Layer one backups may stay secure, but layer two backups will be secure unless you are the victim of very bad timing.

The cybersecurity industry is rapidly developing better protocols for handling ransomware. Staying educated and studying cases is not only essential, but it should also be scheduled into the cycle of work at least once every 6-8 weeks.

The data above could change. An uptick in ransomware for Chrome or Apple of even 1% is enough to review internal processes and procedures. Until then though, get the number of Windows OS users down and make better backups. 

Start Your Research Here

Ransomware: Best Practices for Prevention and Response

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html

CyberSecurity Part 3: Simple Penetration Testing for K12 Schools

By Tony DePrato | Follow Me on LinkedIn

Cybersecurity Part 2 will be featured in the Tie Magazine. After it is released, I will post the article on the blog.

I have been following a few online threads where schools are considering contracting penetration testers. For those who may not know, penetration testing (pentesting) is a security assessment, an analysis, and progression of simulated attacks on an application (web, mobile, or API) or network to check its security posture. The objective is to penetrate the application or network security defenses by looking for vulnerabilities. These are usually weaknesses or flaws that an attacker could exploit to impact confidentiality, integrity, or availability. This goal is the same whether performing application pentesting or network pentesting. ~ https://cobalt.io/pentest

As a consultant, I am not opposed to K12 schools using consultants. However, I have seen some red flags out there from pentesting consultants. I want to highlight those issues, and also provide a method for K12 schools to get started on this process in an easy and low-cost manner.

Finding a Good Pentester

The Conversation

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a list of (x,y,z). I need an office to work from. I need to interview…

What is wrong here?

Here is how this should go

School: We are looking for someone to help test our security.

Pentester: Great. I can do that (credentials and background presented).

School: What do you need?

Pentester: I need a contract protecting me if I break into one or more of your services. I need a contact person to send my findings to. I need a timeline. 

A pentester’s job is to find the weaknesses and to find a way to access your organization. If you provide access, not only is the job easier, but they could simply report an issue that is unlikely to occur. I witnessed a similar scenario where a firm was asking for the keys to break into the car.

There may be a point where you want a pentester to become a student and see what a student can do with the access provided. There may be a point where you want them to test spaces used by the public during events.  If you provide and manage laptops, a good pentester will need one of the school’s laptops. 

These are reasonable requests. Asking the school to literally give them a roadmap and set of targets is not reasonable. 

Doing Your Own Testing

I have a list of standards schools should work towards to be secure. Some of these do not always connect well to third party services, public-facing websites, etc.

Over the last few months, I have developed a checklist for pentesting K12 school websites and resources. 

| Test | Definition |
| --- | --- |
| Subscription and Services Discovery | Can your subscriptions and services be easily discovered? |
| Files Exposed to the Public | Are there files publicly available that are supposed to be private? |
| Calendars Exposed to the Public | Is calendar data that should be private, private? |
| Staff and/or Student Email Harvesting | Can your staff and/or student PII be used to create a database for phishing and spamming? |
| Portals and SIS | Are your portals and SIS properly secured and difficult to brute force attack? |
| Websites and Social Media | Are websites and social media properly secured; is the media being used legally and correctly? |
| Cloud Services | Have cloud services been properly secured? |
| Third-Party Sharing | Is anyone sharing your content and do they have permission? |
| FTP, SSH, and Telnet | Are any of these protocols a threat to your school via publicly accessible information? |
| Email Blacklist | Is your email domain blacklisted? |
| Email Header Check | Is there any data in your header that could be anonymous or lead to blacklisting? |
| Email Catch-All for Non Existent Emails | Is your email set up to catch any email that does not exist and alert someone? |
| SMTP Relay | Is your email system running services that would allow an attacker to use your email for a criminal act; send an email on someone’s behalf? |
| 4xx and 5xx Error Check | Are the 4xx and 5xx pages on your public-facing services configured properly and supportive of trusted users? |
| HTML Forms | Are any HTML Forms vulnerable to low-level URL based attacks? (Will also review CAPTCHA.) |

I score these on a scale of 1-5 and document the issues/results. The next level is researching the solutions to correct the problems. Keep in mind, many solutions are in policies and procedures. This means issues need to be articulated for school leaders, teachers, students, and parents. 

In other words, avoid jargon and lingo.

Doing as much due diligence as possible before contracting someone will not only save time and money, but it will also help to further educate the community.

If you do not know what is actually dangerous, then everything could be sold as dangerous. 

Finding SSO: Complexity for IT, Simplicity for You

By: Tony DePrato | Follow me on Twitter @tdeprato

SSO, or Single Sign On, is something I often discuss with school leadership, teachers, parents, and students. SSO refers to the ability for users to have one login and password that gives them access to all, or the majority of, the services they use. I have achieved this, and I would like to share the path I followed.

The Scope

The scope of SSO is very important. Many people will feel they have achieved SSO if their Google Apps account connects them to a few services. I would classify this as a very limited scope.

In the SSO implementation I am suggesting, the scope is:

  1. Email and Groupware Systems/Cloud (Google Apps, Office 365, etc.)
  2. School Information Systems (For example, PowerSchool)
  3. School Wifi and LAN Network Access. Accessing the network with the single account. This prevents unauthorized users from simply using the network with a shared SSID.
  4. Login Windows for School Owned Laptops and Desktops. This means users apply the same username and password for the school hardware.
  5. Printing and copying access
  6. Additional systems such as Follett Destiny, BrainPop, etc.

With this implementation, all the core IT services on-and-off campus can use, and require, the SSO. Each user uses one username and password to connect to 90% of their resources; and they simply match their username and password on systems that may not be compliant.

For the end user, this is a transparent process.

The Heart of the Solution

Are you a Google Apps for Education School? If the answer is ‘yes’, then the answer to true SSO is a bit more complicated. Google does not offer a traditional directory service. In order to facilitate a full SSO implementation, Google schools need a middle solution.

The concept is that the middle solution has permission to access and use the Google Apps accounts. Once this is enabled, the middle solution will sync and/or translate access between services. The login will either be the username (which is the first part of the email), or the full email itself. The password is managed in the middle solution.

I do not like to promote any specific services. However, for this design I made a special agreement with a company called JumpCloud. There are other services that will do the same job, and unlike traditional methods used for SSO, these cloud-based solutions are easy to migrate from in the future.

If you are not a Google Apps for Education school, then odds are you do have Office 365. Microsoft now provides most of the needed features in their Azure Cloud, using Active Directory in the Cloud. This can be free, or licensed, depending on your needs.

If you do not have Google or Office365, then you probably can use any number of Open LDAP Cloud services, or you could technically build and host your own service with Amazon.

If you notice, I am staying in The Cloud. In my experience, very few schools have the in-house talent and resources to facilitate SSO using onsite servers. They can get the services to work, but the speed and quality are nowhere near that of the cloud-based providers. I used a self-hosted solution in China for four years, and once I was able to move off-site, the end user experience greatly improved.

Enough of the Tech Speak

If you are not working in technology, the sections above will help you immensely in speaking with your technology leadership about SSO. However, to rebound from the monotony of SSO vocabulary and processes, I would like to take a trip through the end user experience.

A new person (employee or student) joins your school. They sit down, and they activate their GMAIL.

When the GMAIL is activated, there is a message in their inbox. They open it. The message directs them to the middle solution provider. The user re-enters their password, and confirms their email.

A few minutes later they get another email; this one is for Office 365. The user opens it, and agrees to the terms of service by entering their username and password.

From this point on, that username and password are now linked to all the services, including the school owned devices and network.

The initial steps can be done for new staff before they come to the school. This is an excellent time saver, and I find that new staff like this engagement. If they make a mistake, their email will always work for them. The other services are not critical until they arrive.

The student experience is a little different. I find it is best to have an initial registration process and location for new students. In this location, the WIFI network is open.

However, after they activate, they switch to their official network, and they sign-in with their new ID. Remember, there is no anonymous access. Once implementation is over, only those who are trusted members of the school can use the same networks as students and employees.

If you want to know more about creating seamless SSO experiences, or if you would like to share your own experience, please comment or email me directly, tony.deprato@gmail.com .

Thanks for reading.

Access Denied: Controlling What Students Can Access

By: Tony DePrato | Follow me on Twitter @tdeprato

Recently I have been discussing multiple new security measures for academic networks. From these discussions with other schools, engineers, and suppliers, I have created a set of goals to help keep the development of network security on track and within budget.

Physical Access

Physical access can be managed without a great deal of expense. The goals to reach for are:

  • We allow only the devices we have confirmed and labeled
  • We can control the number of concurrent devices a user is using on the network
  • We can identify by IP, Serial Number, or MAC Address (or a combination of the three) the owner of a device
  • We can remove a user from network access, and restrict their devices, with minimal effort
  • We have processes and procedures to register devices; users can switch devices through these processes
  • Users can only circumvent the processes by giving their login IDs, passwords, and hardware to another person

These goals do not imply the direct management of equipment; nor do they capture user data. These goals ensure that devices on the network are approved, registered, and can be clearly identified.
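
The goals above can be checked against the leases currently active on the network. The following is an added example, not part of the original post: the device registry, the "ip mac" lease format, the limit of two concurrent devices and every name in it are assumptions made for illustration.

```python
from collections import defaultdict

MAX_CONCURRENT_DEVICES = 2  # assumed policy limit per user

# Constructed registry of confirmed and labeled devices, keyed by MAC address.
REGISTRY = {
    "aa:bb:cc:00:00:01": {"owner": "s.lee", "serial": "SN-1001", "label": "STU-0001"},
    "aa:bb:cc:00:00:02": {"owner": "s.lee", "serial": "SN-1002", "label": "STU-0002"},
    "aa:bb:cc:00:00:03": {"owner": "s.lee", "serial": "SN-1003", "label": "STU-0003"},
    "aa:bb:cc:00:00:10": {"owner": "t.jones", "serial": "SN-2001", "label": "STAFF-0001"},
}

# Constructed table of active leases, one "ip mac" pair per line.
LEASES = """\
10.10.0.21 AA-BB-CC-00-00-01
10.10.0.22 aa:bb:cc:00:00:02
10.10.0.23 aa:bb:cc:00:00:03
10.20.0.5  aa:bb:cc:00:00:10
10.10.0.99 de:ad:be:ef:00:01   # not in the registry
"""


def normalize_mac(mac: str) -> str:
    """Accept AA-BB-.. and aa:bb:.. spellings so lookups do not miss a device."""
    return mac.strip().lower().replace("-", ":")


def parse_leases(text: str) -> list:
    leases = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, mac = line.split()
        leases.append({"ip": ip, "mac": normalize_mac(mac)})
    return leases


def audit(leases: list, registry: dict, limit: int = MAX_CONCURRENT_DEVICES) -> dict:
    """Report devices that were never registered and users over the device limit."""
    unregistered = set()
    per_owner = defaultdict(set)
    for lease in leases:
        device = registry.get(lease["mac"])
        if device is None:
            unregistered.add(lease["mac"])
        else:
            per_owner[device["owner"]].add(lease["mac"])
    over_limit = {
        owner: len(macs) for owner, macs in per_owner.items() if len(macs) > limit
    }
    return {"unregistered": sorted(unregistered), "over_limit": over_limit}


def owner_of(ip: str, leases: list, registry: dict):
    """Identify the owner of whatever device currently holds an IP address."""
    for lease in leases:
        if lease["ip"] == ip:
            device = registry.get(lease["mac"])
            return device["owner"] if device else None
    return None


def devices_to_block(owner: str, registry: dict) -> list:
    """Every registered MAC for a user, so access can be revoked in one step."""
    return sorted(mac for mac, dev in registry.items() if dev["owner"] == owner)


if __name__ == "__main__":
    active = parse_leases(LEASES)
    print(audit(active, REGISTRY))
    print(owner_of("10.20.0.5", active, REGISTRY))
    print(devices_to_block("s.lee", REGISTRY))
```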

Achieving these goals is the first step towards the concept that accessing the network is a privilege not a right. Privileges can be revoked. If revocation is not possible, then the concept/policy cannot be enforced.

Guest Access

Guest Access can be problematic for schools.  However, if your school is in a country that requires you to perform due diligence for network/internet access, then the Guest Access should be provided in a limited fashion, and only when necessary. Please review the laws governing access; especially where children under 13 are present.

If you are not sure what the laws are in your country, start here.

Topology

Topology refers to the way in which constituent parts are interrelated or arranged.

These are the topology goals that should be met before additional security is added:

  • Students, Teachers/Staff, and Parents/Guests are never on the same network/same IP range (not just SSIDs, unified IP ranges and access across the network should be prohibited)
  • Printers and other devices are not on the same IP range as the Wifi; those with access to printers and devices must be provided access
  • Data sharing should happen in the cloud; or in a device that has been configured with user authentication
  • LAN ports should not be using DHCP, if those ports are physically accessible by teachers, students, parents, or guests
  • Equipment on the LAN should be managed; given an IP address; and be easily identifiable
  • VLANs need to be created to meet most of the above requirements; VLANs should be planned out on paper and clearly mapped for decision makers to understand
  • All Access Points need to be named and numbered to reflect their exact location on campus
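
A VLAN plan written on paper can also be checked mechanically before anything is configured. The following is an added example, not part of the original post, that tests a plan for overlapping IP ranges, reused VLAN IDs, and DHCP on physically accessible LAN ports; the segment names, VLAN IDs, address ranges and field names are constructed for illustration.

```python
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed VLAN plan. "exposed_ports" marks LAN segments whose wall ports
# can be reached by teachers, students, parents, or guests.
PLAN = [
    {"name": "students-wifi", "vlan": 10, "kind": "wifi",
     "cidr": "10.10.0.0/20", "dhcp": True, "exposed_ports": False},
    {"name": "staff-wifi", "vlan": 20, "kind": "wifi",
     "cidr": "10.20.0.0/21", "dhcp": True, "exposed_ports": False},
    {"name": "guest-wifi", "vlan": 30, "kind": "wifi",
     "cidr": "10.10.8.0/22", "dhcp": True, "exposed_ports": False},
    {"name": "printers", "vlan": 40, "kind": "lan",
     "cidr": "10.30.0.0/24", "dhcp": False, "exposed_ports": False},
    {"name": "classroom-lan", "vlan": 50, "kind": "lan",
     "cidr": "10.40.0.0/22", "dhcp": True, "exposed_ports": True},
    {"name": "server-lan", "vlan": 60, "kind": "lan",
     "cidr": "10.50.0.0/24", "dhcp": False, "exposed_ports": False},
]


def find_overlaps(plan: list) -> list:
    """Pairs of segments whose IP ranges overlap, so they are not truly separate."""
    nets = [(seg["name"], ipaddress.ip_network(seg["cidr"])) for seg in plan]
    return [
        (name_a, name_b)
        for (name_a, net_a), (name_b, net_b) in combinations(nets, 2)
        if net_a.overlaps(net_b)
    ]


def find_duplicate_vlans(plan: list) -> list:
    """VLAN IDs assigned to more than one segment."""
    counts = Counter(seg["vlan"] for seg in plan)
    return sorted(vlan for vlan, n in counts.items() if n > 1)


def dhcp_on_exposed_lan(plan: list) -> list:
    """LAN segments that hand out addresses on ports anyone can plug into."""
    return [
        seg["name"]
        for seg in plan
        if seg["kind"] == "lan" and seg["exposed_ports"] and seg["dhcp"]
    ]


def check_plan(plan: list) -> list:
    """Collect every finding as a sentence a decision maker can read."""
    findings = []
    for name_a, name_b in find_overlaps(plan):
        findings.append(f"{name_a} and {name_b} share part of an IP range")
    for vlan in find_duplicate_vlans(plan):
        findings.append(f"VLAN {vlan} is assigned to more than one segment")
    for name in dhcp_on_exposed_lan(plan):
        findings.append(f"{name} uses DHCP on physically accessible ports")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```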

Web Filtering

Web filtering is often sold to schools as a turnkey holistic solution to manage content that students access. The truth is that web filtering will only, and always, be partially effective with students. Web filtering is highly effective in meeting the following goals:

  • Controlling what teachers and staff access
  • Controlling what guests access
  • Controlling what school owned devices access (devices that stay at school all the time)
  • Preventing accidental content being shown/broadcast on school owned devices
  • Meeting most due diligence standards concerning laws that govern content access and control
  • Showing an overall data set to help guide decisions based on what people are doing and trying to do online

Web filtering has two main issues. First, HTTPS content can be blocked but not read. This means when students go to HTTPS websites, the school will not know what they are doing, and/or interacting with on those sites. Since 2018, HTTPS is used more often by web users than the original non-secure HTTP. A few years ago, a person could type http://facebook.com . Today, everyone is forced to https://facebook.com .

Because many schools want to use web filters to study student access data, they will fail to achieve that goal, regardless of the fact the filter claims it can read the data. The filter can read some data, but not all; and currently not most.

Second, students can install and run VPN services fairly easily. When they do this, most filters are circumvented. Keep in mind that good VPN services are not free. Having those difficult conversations with parents at the beginning of the year, and as frequently as possible, is often more valuable than new snazzy technology solutions. If parents enable behavior, it is very difficult for school policies to be successful.

In summary, Physical Access, Guest Access, and Topology goals are usually achievable with current network hardware and software solutions employed by schools with a population of 500 users or more. Achieve these goals first, before investing in web filters or other solutions.

Remember, giving students freedom to work and create will create security loopholes. Depending solely on technology solutions in an environment where education opportunities abound is a bad strategy to pursue. There is no substitute for engaging students in dialog when they are acting inappropriately.

Keeping Your Campus Safe: Who Can Do What

By: Tony DePrato | Follow me on Twitter @tdeprato

When a school network is designed, various levels of access have to be created to manage content access. The easiest way to approach this is to place students, teachers, staff, and others into groups. The group is then managed. If an individual becomes untrusted, they become a non-group member, and thus cannot access anything.

Groups have an ID; this is something people never see. To get into the group, people have a personal ID; this is something people use every day. They never consider all the places their ID (username and password) travels.

In the physical space, group IDs and access indicators are also needed. These need to be designed so they can be visually recognized by members of the community. In addition, buildings and facilities need to be designed to accommodate certain groups, but not allow others.

Group IDs in the Visual Space

I have already spoken about uniforms, but many schools do not use uniforms. Dress code is definitely a way to identify a group of students, but beyond that, there are many other ways to know who is who and what they should be doing.

IDs

Student IDs are often the same for all students, and many are the same template as staff IDs.

IDs for different groups should vary visually. This allows anyone to quickly look at the color, and make a decision about access to facilities, food options, etc. Having to stop and read requires engagement. Engagement either requires a sense of authority, or it can make a person feel as if conflict might ensue. Colors remove the direct engagement aspect of managing people in physical spaces from those who might only want to report a problem.

For example:

K-5 Students

6-12 Students

K-5 Teachers

No Go Zones

Libraries, Cafeterias, and other large areas should have spaces that are “student only” and “parent/guest only”. These spaces should separate students by age group when possible.

People who are managing these spaces need to manage problems over a larger landscape. They should be able to politely direct anyone to their proper area, without conflict. These areas can be labeled, and color coded. Colors could match IDs (or guest passes) to help everyone navigate.

For example, students in the middle school might have red ID cards. Middle school bulletin boards, information screens, etc., could all have a red border. Anyone noticing a student with a blue ID, would immediately realize that student is in the wrong building. Trying to sort students by size is something teachers try to do, but that practice is not very accurate when students are close in age.

Driving and Parking

Access to campus often starts with transportation. Although schools usually have buses and public transportation options planned, personal vehicles are often loosely managed, or not managed.

Schools tend to believe that issuing parking stickers to people, and then assigning them a parking lot/space, is enough. However, schools need to consider why people need to drive, and if it should be a right or a very limited privilege.

I have worked at one school that had no parking at all. It was in a city, and space was at a premium. If people needed to drive and park, they had to use public parking options. This meant that it was nearly impossible to have unscheduled visitors. Anyone coming to the school would make an appointment to ensure their paid parking was used efficiently.

As people evaluate campus safety, they need to consider that anyone looking to create a negative situation would need a staging area. There would need to be access close enough to the school to allow someone to prepare. Vehicles make excellent staging areas. The closer vehicles are to buildings and entrances, the greater the risk.

In addition, schools are full of children running around and not always paying attention. Vehicles allowed to move within spaces where children are walking can be very dangerous. Ideally, these types of vehicles should only be allowed if escorted or properly directed.

If I really wanted to make campus access secure, I would run shuttles from designated areas. In an ideal world, those areas would be owned by the school, but at least 5 minutes from the campus by shuttle.

A small parking area could be created for certain groups of people, but all visitors and guests would be scheduled and shuttled into the campus.

Students would never be allowed to drive to campus. They would need to park and shuttle; or park and bike/walk to school.

Schools should be friendly communities, but communities are often not in the public domain. Access management is important, and it does not have to be overly complicated or expensive.

Group privilege is a privilege. It can be earned. It can be lost. It must be managed.

Understanding Ransomware

By: Tony DePrato | Follow me on Twitter @tdeprato

On Friday, 12 May 2017, a large cyber-attack using the WannaCry ransomware was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomware.

The ransomware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. In order to obtain the key, money must be sent to the “owner” of the ransomware. Usually this money is requested in the form of cryptocurrency, to make it difficult (if not impossible) to trace the payment.

Ransomware Targets Everyone

Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on-campus that technology needs to be friendly and open. Because of this cultural approach to planning technology, many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.

For example, it would be odd to find a school that did not have user managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel set up multistep authentication that expires every thirty days, that recommendation is probably going to be rejected. Any multistep authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay for resetting their services is often considered unacceptable.

IT policies and procedures that would prevent a school from being a victim of ransomware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times, and restrict certain types of technology from being used on-campus.

Managing network and data security is a discipline that must be followed regardless of an organizational mission or definition. Best practice scenarios need to be studied as universal best practice scenarios. Studying best practice scenarios for only a single type of organization (like a K-12 International School) limits exposure to case-studies, creative ideas, and threat assessment.

Ransomware Prevention and Protection

Investing money and IT security planning have something in common. If a person makes a future decision, strictly on past performance, they are very likely to be investing in a plan that is expensive with lower future yield. IT security threats work because they are original, and because a purchasable defensive solution was not available at the time of the threat.

Many organizations make the mistake of preparing for the future by buying protection for a threat that is no longer unique.  This is useful if the threat resurfaces, but it is useless against new threats.

If an organization truly wants to be well prepared for ransomware threats, everyone in the organization should be able to answer ‘Yes’ to this statement:

“I can take my laptop/desktop/primary device and throw it away right now without severely impacting my work or life.”

Answering ‘Yes’ to that statement means that a person understands the data is more important than the machine it resides on. Just like investing in retirement, only diversification will save someone during a new and aggressive IT security threat.

There are numerous ways to achieve a high level of data diversity and redundancy. Here are a few that can be implemented with policy and practice:

  • The standard for file storage should be in the cloud.
  • Do not use SYNC software such as Google Drive Sync or OneDrive sync.
  • Laptops given to staff and students should have very small hard drives to discourage hoarding data and storing old files.
  • Weekly or Monthly archiving of data should not be in the same environment as data for daily work. For example, I use Google Drive every day for work, but once a month I back up the important data to DropBox. The larger archives are for emergencies, and held within a different environment.
  • Offline backups on external drives are good, but hardware can fail. Consider what data is critical and make sure the offline backup is not the primary copy.
  • Systems like TimeMachine can actually corrupt data if they are backing-up automatically. Consider manually initiating backups, only after you have scanned your machine/servers for malware.
  • Photos and media can be challenging to keep organized in the cloud. Services like Google Photos, Instagram, etc. are designed for media. Use media centric services to manage media.
  • Email is not for data storage. If email is compromised, the communication threads should be all that is lost.
  • Schools using local network shared drives and NAS systems (Synology etc.) need to be restrictive and vigilant with permissions. If these services have been planned with “Ease of Use” as the driving force, they are at risk of being turned into an engine that will rapidly spread a threat.
  • Limit non-cloud based data sharing to special groups or departments to reduce the need to constantly update and patch these systems.

A final note to those who are making and enforcing policy. A single human vector who introduces one of these threats onto a network can create a cascade of destruction. Allowing anyone to circumvent a policy because of their title or position is placing everyone at risk.


WannaCry RansomeWare Impact
The ransomware campaign was unprecedented in scale according to Europol.[9] The attack affected many National Health Service hospitals in England and Scotland,[50] and up to 70,000 devices — including computers, MRI scanners, blood-storage refrigerators and theatre equipment — may have been affected.[51] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[12][52] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[46] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[10][12]
Nissan Motor Manufacturing UK in Tyne and Wear, one of Europe’s most productive car manufacturing plants, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[53][54]
According to experts, the attack’s impact could have been much worse if no kill-switch was built in by the malware’s creators.[55][56]
Cybersecurity expert Ori Eisen said that the attack appears to be “low-level” stuff, given the ransom demands of $300 and states that the same thing could be done to crucial infrastructure, like nuclear power plants, dams or railway systems.[57]
List of affected organizations
São Paulo Court of Justice (Brazil)[58]
Vivo (Telefônica Brasil) (Brazil)[58]
Lakeridge Health (Canada)[59]
PetroChina (China)[16]
Public Security Bureaus (China)[60]
Sun Yat-sen University (China)[61]
Instituto Nacional de Salud (Colombia)[62]
Renault (France)[63]
Deutsche Bahn (Germany)[64]
Telenor Hungary (Hungary)[65]
Andhra Pradesh Police (India)[66]
Dharmais Hospital (Indonesia)[61]
Harapan Kita Hospital (Indonesia)[61]
University of Milano-Bicocca (Italy)[67]
Q-Park (The Netherlands)[68]
Portugal Telecom (Portugal)[69]
Automobile Dacia (Romania)[70]
Ministry of Foreign Affairs (Romania)[71]
MegaFon (Russia)[72]
Ministry of Internal Affairs (Russia)[73]
Russian Railways (Russia)[74]
LATAM Airlines Group (Chile)[75]
Banco Bilbao Vizcaya Argentaria (Spain)[76]
Telefónica (Spain)[76]
Sandvik (Sweden)[61]
Garena Blade and Soul (Thailand)[77]
National Health Service (England) (United Kingdom)[78][12][10]
NHS Scotland (United Kingdom)[12][10]
Nissan UK (United Kingdom)[78]
FedEx (United States)[79]
Massachusetts Institute of Technology (United States)
Saudi Telecom (Saudi Arabia)[80]

BYOD and Network Anonymity

By: Tony DePrato | Follow me on Twitter @tdeprato

Many countries have begun to create or enforce new rules concerning online anonymity.

Here are some examples of anonymity rules: South Korea, China, The United Kingdom

These rules are manifested in places like coffee shops that require a phone number to be verified via SMS. It is not optional anymore to allow students or staff to be online anonymously. Cyberbullying, hacking, and other issues cannot be addressed if the person (or persons) involved cannot be identified. Most school administrators may not realize how prevalent anonymous access is on many K-12 campuses.

General Policies and Procedures

There is often a knee-jerk reaction to fix problems by spending money. There are plenty of nifty IT solutions to help with security, but without proper policies and procedures in place, technology will eventually fail.

Policies and procedures must be adopted and implemented from the highest levels of the organization. Any exemption creates a vulnerability. Luckily, the concepts and steps are simple enough, and they apply to both BYOD and non-BYOD schools:

  1. Every user on the network has a login.
  2. Logins are either genuine/legal names or employee/student ID numbers.
  3. Passwords are not shared or common.
  4. Every device on the network, printers included, must have the default username and password customized.
  5. School owned devices must require individuals to login; generic logins like “classroom1” cannot be permitted.
  6. Very young children who cannot manage a username and password must be assigned devices, and those devices need to have a static IP address.
  7. Children from grade 1 and up should learn to login with an individual username or using an ID number; a shared password is acceptable until grade 3.
  8. Primary school children should not be on the same network and/or Wifi as middle and high school children. This is essential to prevent older students using a younger student’s account.
  9. Teachers and students should not be on the same network and/or Wifi. Sharing should happen in the cloud or file servers.
  10. Guest access should be very limited unless there is a major event.

These policies and procedures have a two-pronged effect. First, they set a standard for the type of network equipment and design that is required. Secondly, they take very technical topics and reduce them to yes/no questions. “Are children under the age of six using assigned devices?” “Do all school owned devices require an individual login?” “Can students login to the network with a shared password?”

BYOD Specific Policies and Procedures

There is an underlying truth about letting people use equipment. If a person can take a piece of equipment to an anonymous location, they can hack into the equipment. If a school owns a laptop, and allows a student to take that laptop outside of the school, then that student can own that laptop and manipulate it.

I have demonstrated this to people who were setting policies for school owned equipment, and believing that the equipment was secure. I once unlocked a Windows laptop in 5 minutes with a USB tool I created from free software. I did this in front of three people who had deployed over 100 laptops to my campus, believing the laptops were secure. The last time a school gave me an Apple laptop loaded with “security features” I was able to circumvent the security in less than 10 minutes. The modifications were never detected. The truth is, I am not even half as motivated or talented as many students. However, I can think the way they think.

A few years ago I spent an entire day with a CISCO engineer. I wanted to brainstorm with him on BYOD security. We went through all the scenarios. In the end, we came up with a good low cost set of protocols for BYOD management:

  1. The school needs 3-4 SSIDs (Wifi Names) per division. For example: Teachers, Secondary_Students, and Guest. Primary students would not be able to use the Secondary_Students Wifi.
  2. Students, Teachers, and Staff must authenticate with the PEAP protocol. This means everyone needs to login like they are in a coffee shop. A small pop-up window asks for your username and password every 24 hours (or similar concept).
  3. All BYOD access requires a 3-point authentication process: MAC Address + IP Lease + Username. (If anyone wants to know HOW to do this, please email me directly).

These three steps ensure that unless Student A gives their username and password to Student B, it is impossible for Student A to use Student B’s computer (without committing theft). This is the core issue with BYOD. A school needs to be able to show how they know what they know. The access responsibility needs to be on the students, and down to a personal choice.
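One way to make the MAC Address + IP Lease + Username record answer "who had this address at this time?", as an added example that is not the author's method or any vendor's log format. The record layouts, sample values and function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records; field layout is an assumption, not a vendor format.
DHCP_LEASES = [  # (lease start, lease seconds, IP, MAC)
    ("2020-02-19T08:00:00", 3600, "10.20.4.17", "aa:bb:cc:00:00:01"),
    ("2020-02-19T09:30:00", 3600, "10.20.4.17", "aa:bb:cc:00:00:02"),
    ("2020-02-19T09:45:00", 3600, "10.20.4.30", "aa:bb:cc:00:00:03"),
]
PEAP_LOGINS = [  # (auth time, MAC, username, SSID)
    ("2020-02-19T07:59:40", "aa:bb:cc:00:00:01", "s10234", "Secondary_Students"),
    ("2020-02-19T09:29:50", "aa:bb:cc:00:00:02", "s10877", "Secondary_Students"),
    ("2020-02-19T10:05:00", "aa:bb:cc:00:00:01", "s10877", "Secondary_Students"),
]
REAUTH_WINDOW = timedelta(hours=24)  # the 24-hour re-login described above


def _ts(text):
    return datetime.fromisoformat(text)


def attribute(ip, when):
    """Resolve (IP, time) -> MAC via the lease, then MAC -> username via PEAP."""
    when = _ts(when)
    mac = None
    for start, secs, lease_ip, lease_mac in DHCP_LEASES:
        begin = _ts(start)
        if lease_ip == ip and begin <= when < begin + timedelta(seconds=secs):
            mac = lease_mac
    if mac is None:
        return None  # no lease covers that moment: the address was unassigned
    # Latest login for this MAC that precedes the event and is still in window.
    logins = [(_ts(t), user, ssid) for t, m, user, ssid in PEAP_LOGINS
              if m == mac and _ts(t) <= when <= _ts(t) + REAUTH_WINDOW]
    if not logins:
        return {"mac": mac, "username": None, "ssid": None}  # unauthenticated
    _, user, ssid = max(logins)
    return {"mac": mac, "username": user, "ssid": ssid}


def devices_with_multiple_users():
    """MACs that authenticated under more than one username (review these)."""
    seen = {}
    for _, mac, user, _ in PEAP_LOGINS:
        seen.setdefault(mac, set()).add(user)
    return {mac: sorted(users) for mac, users in seen.items() if len(users) > 1}
```

The same IP address maps to different students an hour apart, which is why the lease time has to be part of the lookup and why an address with a lease but no login stands out.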

As with the general policies and procedures, this protocol will help set the network equipment and configuration standards without requiring the administration to have a deep understanding of technology.

Please feel free to contact me directly with further questions or to arrange a discussion.